How would the variable $ur1 be securely output in the template?

An Adobe Commerce developer needs to display a URL in the template.

How would the variable $ur1 be securely output in the template?
A . <?php echo $escaper->escapeUrl($url) ?>
B . <?php echo $escaper->escapeLink($url) ?>
C . <?php echo $escaper->escapeHtml($url) ?>

View Answer

Answer: A

Explanation:

To display a URL in a template securely, the developer should use the escapeUrl method of the escaper object. This method will encode any special characters in the URL that can be used for XSS attacks, such as &, <, >, ", ‘, etc. For example:

<?php echo $escaper->escapeUrl($url) ?>

The following methods are not suitable for displaying URLs and should not be used:

<?php echo $escaper->escapeLink($url) ?>: This method is used for escaping link attributes, not URLs. It will encode any characters that are valid in URLs but invalid in HTML attributes, such as spaces, quotes, etc. For example:

<?php echo $escaper->escapeLink(‘https://example.com/?q=hello world’) ?> // Output:

https://example.com/?q=hello%20world

<?php echo $escaper->escapeHtml($url) ?>: This method is used for escaping HTML content, not URLs. It will encode any characters that are valid in URLs but invalid in HTML content, such as &, <, >, etc. For example:

<?php echo $escaper->escapeHtml(‘https://example.com/?q=<script>alert(“XSS”)</script>’) ?> // Output: https://example.com/?q=<script>alert("XSS")</script>